
AppArmor conflicts with ntpd: apparmor=DENIED operation=capable

Sometimes the following log line shows up repeatedly and frequently in dmesg. This generally happens because the behavior of the ntp service conflicts with AppArmor.

apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/etc/resolvconf/resolv.conf.d/head" pid= comm="ntpd" requested_mask="r" denied_mask="r" fsuid= ouid=

Check the AppArmor status:

aa-status
## or
cat /sys/kernel/security/apparmor/profiles

Output:

...
/usr/sbin/ntpd (enforce)
...

Way 1. Change the AppArmor rule (safer)

Edit the default AppArmor profile for ntpd, located at /etc/apparmor.d/usr.sbin.ntpd, so that it allows the denied access, then restart AppArmor:

systemctl restart apparmor.service
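
The following is an added example, not part of the original page: a small POSIX shell helper that turns DENIED lines for one profile into candidate profile rules (file rules for plain read/write denials, `capability` rules for `operation="capable"`). The function names `field` and `suggest_rules` are hypothetical, and the sample log lines are constructed, including their pid, uid and capability values.

```shell
#!/bin/sh
# Added example: derive candidate AppArmor rules from DENIED log lines.

# Constructed sample input; pid, uid and capability values are made up.
SAMPLE_LOG='audit: type=1400 audit(1.000:10): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/etc/resolvconf/resolv.conf.d/head" pid=1000 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(2.000:11): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/etc/resolvconf/resolv.conf.d/head" pid=1000 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(3.000:12): apparmor="DENIED" operation="capable" profile="/usr/sbin/ntpd" pid=1000 comm="ntpd" capability=2 capname="dac_read_search"
audit: type=1400 audit(4.000:13): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/hosts" pid=1001 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'

# field LINE KEY: print the value of KEY="value" in LINE (empty if absent).
# The leading space keeps name= from matching inside capname=.
field() {
    printf '%s\n' "$1" | sed -n "s/.* $2=\"\([^\"]*\)\".*/\1/p"
}

# suggest_rules PROFILE: read kernel log lines on stdin and print one
# deduplicated candidate rule per distinct denial for PROFILE.
suggest_rules() {
    profile=$1
    while IFS= read -r line; do
        case $line in
            *'apparmor="DENIED"'*"profile=\"$profile\""*) ;;
            *) continue ;;   # other profiles, or not a denial
        esac
        if [ "$(field "$line" operation)" = capable ]; then
            printf '  capability %s,\n' "$(field "$line" capname)"
            continue
        fi
        path=$(field "$line" name)
        mask=$(field "$line" denied_mask)
        [ -n "$path" ] || mask=   # no path: cannot form a file rule
        case $mask in
            ''|*[!rw]*)  # anything beyond a plain r/w file denial
                printf '  # review by hand: %s\n' "$line" ;;
            *)  printf '  %s %s,\n' "$path" "$mask" ;;
        esac
    done | LC_ALL=C sort -u
}

# Real use: dmesg | suggest_rules /usr/sbin/ntpd
printf '%s\n' "$SAMPLE_LOG" | suggest_rules /usr/sbin/ntpd
```

Review each printed rule before adding it inside the profile block in /etc/apparmor.d/usr.sbin.ntpd; a denial can also mean ntpd is doing something it should not be allowed to do.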

Way 2. Disable AppArmor protection for ntpd

Alternatively, disable AppArmor's protection/auditing of ntpd entirely:

ln -s /etc/apparmor.d/usr.sbin.ntpd /etc/apparmor.d/disable/
apparmor_parser -R /etc/apparmor.d/usr.sbin.ntpd
systemctl restart ntp.service

Disclaimer
  1. Licensed under CC BY-NC 4.0
  2. Copyright issue feedback: dig +short txt issue.imzye.com
  3. Not all the commands and scripts are tested in a production environment; use at your own risk
  4. No privacy information is collected here